
computer forensics

Hi, I am currently doing an undergraduate course and I am researching accessing files encrypted using an open source on-the-fly encryption program. I have done a bit of research and discovered the obvious methods like using various forms of surveillance to steal passwords, brute force attacks etc. The documentation for this software says that it decrypts files in RAM and there is the possibility that these files can be written to the system's paging file.

I thought that maybe you could use a computer forensics tool to recover the unencrypted files from RAM or paging file? I was wondering if someone could point me in the direction of some good resources on forensics tools as I haven't been able to find much other than developers sites.....

Encase is an excellent program for finding data in the 'slack space' of sectors, as well as page files. As for recovering data from RAM...that isn't really an option. Not in the same way as recovering data from the hard disk. It *is* possible to retrieve data from RAM, but it depends on a lot of factors...do you have actual control of the system while the user is accessing the encrypted data, or are you installing a logger type of program that will capture their data while you are elsewhere?

More info from you can help us, to help you.

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

There is probably more, but this is what I have come up with. As you can see, my solutions are mainly focused on stealing the password. If I had remote access to a system, would I be able to access the RAM or paging file while the unencrypted files are in use or directly after? Or if I physically accessed the computer after the files had been unencrypted sometime that day but the computer had not been turned off?

You could examine files in RAM, but you need a program that can "look" into another process' memory. Usually this is not allowed by the memory manager. A debugger might be able to do this when the conditions are right. And every now and then a bug surfaces that will allow some process to look into another process' memory space. Of course the file in question needs to be loaded before all this is possible. All this makes it highly unlikely but not impossible.

The pagefile on the other hand can be examined when the system is turned off. You would need to boot some other OS so you can access that file. Some OSs will clean the pagefile when they're shutdown. But you can always "pull the plug" to switch the machine off in mid-flight without shutting down properly.

Does that help?

Edit: Shouldn't this be moved to the forensics section?

Oliver's Law:
Experience is something you don't get until just after you need it.

Memdump is an excellent program for grabbing the contents of memory and will essentially create a raw disk image, which other tools like Encase and Autopsy can read and do things like string searches on. The problem you would have is figuring out exactly where in memory things are...but something like strings can be surprisingly effective on a memdump image to grab things in memory...

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
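The post above describes running strings over a memory or pagefile image and then searching the output. The following is an added example illustrating that sweep; it is not code from the thread or from any of the tools named in it. The "image" is constructed inline (non-printable filler with a few planted strings), and every offset and string in it is an assumption chosen for the demonstration. It reports ASCII runs the way strings(1) does by default (four or more printable bytes) and also UTF-16LE runs, since Windows keeps most in-memory text in that encoding and a plain ASCII sweep would miss it.

```python
"""Added example: a minimal strings-style sweep over a memory/pagefile image.

The sample image is constructed here (deterministic filler plus planted text);
it is not data captured from any real system.
"""
import random
import re
from typing import List, Tuple


def find_ascii_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_utf16le_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for runs of printable UTF-16LE characters.

    Each character is a printable ASCII byte followed by 0x00, which is how
    Windows stores most in-memory text; a plain ASCII sweep sees only 1-byte runs.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def search_keyword(data: bytes, keyword: str) -> List[Tuple[int, str]]:
    """Locate a keyword in both encodings; returns sorted (offset, encoding) hits."""
    hits: List[Tuple[int, str]] = []
    for encoding in ("ascii", "utf-16-le"):
        needle = keyword.encode(encoding)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, encoding))
            start = idx + 1
    return sorted(hits)


def build_sample_image() -> bytes:
    """Construct a 4 KiB stand-in for a memory dump (assumed layout, not real data).

    Filler bytes are all >= 0x80 so they never form printable runs; the three
    planted items are the only things a strings sweep should report.
    """
    rng = random.Random(1234)  # fixed seed so the example is reproducible
    image = bytearray(rng.randrange(0x80, 0x100) for _ in range(4096))
    ascii_text = b"CONFIDENTIAL: quarterly figures (constructed sample)"
    utf16_text = "C:\\Users\\demo\\secret.docx".encode("utf-16-le")
    image[1000:1000 + len(ascii_text)] = ascii_text
    image[2500:2500 + len(utf16_text)] = utf16_text
    image[3000:3003] = b"abc"  # too short to be reported at the default min_len
    return bytes(image)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, text in find_ascii_strings(image):
        print(f"ascii    @ {offset:#08x}: {text}")
    for offset, text in find_utf16le_strings(image):
        print(f"utf-16le @ {offset:#08x}: {text}")
    print("keyword 'secret' found at:", search_keyword(image, "secret"))
```

On a real dump the filler is anything but quiet, so the useful pattern is the keyword search: sweep once, then grep the hits for file names, document headers or other markers you already know to look for. Raising min_len cuts noise; the UTF-16LE pass is the one most people forget.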

The pagefile on the other hand can be examined when the system is turned off.

This is exactly why there is the GPO instance (and LPO IIRC) to clear the pagefile on shutdown. Technically I believe this overwrites the pagefile to prevent just this kind of attack. Of course, this is why you "rip" the power cable out of a compromised machine rather than shut it down prior to a forensic investigation.... to try to preserve the contents of the pagefile.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

He does some interesting stuff. I ended up getting the info I needed though. I had to do an assignment on computer forensics at the beginning of last year and there were three books on it in my university's library. Wasn't exactly a wealth of information.

There are a lot of students and teachers on this site, plus a shower of pros on "active service" so to speak.................please ask IN ADVANCE of requirements, and I am sure that one or two of us will try to help